undefined | Better HN

0 pointsrichardwhiuk5y ago0 comments

Compatibility with other libraries and testing effort. You end up back porting everything.

Ubuntu backports the fixes them instead (i.e. Ubuntu's 1.0.2 will be patch with CVE fixes going forward instead of backporting 1.1 wholesale).

0 comments

kakwa_5y ago

Also stability of APIs/ABIs: within a major Ubuntu/Debian version, there is an implicit contract in most cases that if you build something against a library/software provided by the distribution, it will not break after an upgrade of said library/software.

To enforce that, a policy of version freeze+backport of bug/security fixes is almost always necessary as very few upstream projects will maintain separate branches and have a clear policy about API/ABI breakages.

(OpenSSL is actually somewhat of an exception in that regard).

ymse5y ago

OpenSSL actually did a breaking API change as recent as 1.1.1e (reverted in 1.1.1f to be fair):

https://bugs.python.org/issue40018

And broke the ABI in 1.0.2g:

https://bugzilla.redhat.com/show_bug.cgi?id=1313509

I don't mean to bash on OpenSSL here and agree they generally do an exceptional job at keeping the public interface stable. Just offering some context. These things are difficult.

tialaramex5y ago

To be fair "these things are difficult" if your ABI is terribly designed.

If you've used modern libpng you can thank people like me for the fact you don't need to recompile or even sometimes rewrite code after every micro version release.

Example of something libpng did before we "gently" explained that it's stupid: re-order the public data structures in a "bug fix" release. Because the old order looked untidy see, and so long as every program is recompiled with the new version of the library it won't break...

j / k navigate · click thread line to collapse